authorization.txt 3.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123
  1. Authorizing (or not) your USB devices to connect to the system
  2. (C) 2007 Inaky Perez-Gonzalez <inaky@linux.intel.com> Intel Corporation
  3. This feature allows you to control if a USB device can be used (or
  4. not) in a system. This feature will allow you to implement a lock-down
  5. of USB devices, fully controlled by user space.
  6. As of now, when a USB device is connected it is configured and
  7. its interfaces are immediately made available to the users. With this
  8. modification, only if root authorizes the device to be configured will
  9. then it be possible to use it.
  10. Usage:
  11. Authorize a device to connect:
  12. $ echo 1 > /sys/bus/usb/devices/DEVICE/authorized
  13. Deauthorize a device:
  14. $ echo 0 > /sys/bus/usb/devices/DEVICE/authorized
  15. Set new devices connected to hostX to be deauthorized by default (ie:
  16. lock down):
  17. $ echo 0 > /sys/bus/usb/devices/usbX/authorized_default
  18. Remove the lock down:
  19. $ echo 1 > /sys/bus/usb/devices/usbX/authorized_default
  20. By default, Wired USB devices are authorized by default to
  21. connect. Wireless USB hosts deauthorize by default all new connected
  22. devices (this is so because we need to do an authentication phase
  23. before authorizing).
  24. Example system lockdown (lame)
  25. -----------------------
  26. Imagine you want to implement a lockdown so only devices of type XYZ
  27. can be connected (for example, it is a kiosk machine with a visible
  28. USB port):
  29. boot up
  30. rc.local ->
  31. for host in /sys/bus/usb/devices/usb*
  32. do
  33. echo 0 > $host/authorized_default
  34. done
  35. Hookup an script to udev, for new USB devices
  36. if device_is_my_type $DEV
  37. then
  38. echo 1 > $device_path/authorized
  39. done
  40. Now, device_is_my_type() is where the juice for a lockdown is. Just
  41. checking if the class, type and protocol match something is the worse
  42. security verification you can make (or the best, for someone willing
  43. to break it). If you need something secure, use crypto and Certificate
  44. Authentication or stuff like that. Something simple for an storage key
  45. could be:
  46. function device_is_my_type()
  47. {
  48. echo 1 > authorized # temporarily authorize it
  49. # FIXME: make sure none can mount it
  50. mount DEVICENODE /mntpoint
  51. sum=$(md5sum /mntpoint/.signature)
  52. if [ $sum = $(cat /etc/lockdown/keysum) ]
  53. then
  54. echo "We are good, connected"
  55. umount /mntpoint
  56. # Other stuff so others can use it
  57. else
  58. echo 0 > authorized
  59. fi
  60. }
  61. Of course, this is lame, you'd want to do a real certificate
  62. verification stuff with PKI, so you don't depend on a shared secret,
  63. etc, but you get the idea. Anybody with access to a device gadget kit
  64. can fake descriptors and device info. Don't trust that. You are
  65. welcome.
  66. Interface authorization
  67. -----------------------
  68. There is a similar approach to allow or deny specific USB interfaces.
  69. That allows to block only a subset of an USB device.
  70. Authorize an interface:
  71. $ echo 1 > /sys/bus/usb/devices/INTERFACE/authorized
  72. Deauthorize an interface:
  73. $ echo 0 > /sys/bus/usb/devices/INTERFACE/authorized
  74. The default value for new interfaces
  75. on a particular USB bus can be changed, too.
  76. Allow interfaces per default:
  77. $ echo 1 > /sys/bus/usb/devices/usbX/interface_authorized_default
  78. Deny interfaces per default:
  79. $ echo 0 > /sys/bus/usb/devices/usbX/interface_authorized_default
  80. Per default the interface_authorized_default bit is 1.
  81. So all interfaces would authorized per default.
  82. Note:
  83. If a deauthorized interface will be authorized so the driver probing must
  84. be triggered manually by writing INTERFACE to /sys/bus/usb/drivers_probe
  85. For drivers that need multiple interfaces all needed interfaces should be
  86. authroized first. After that the drivers should be probed.
  87. This avoids side effects.